Your organization’s social media problem can’t be cured with antibiotics


You can’t control what employees do away from work on their own time and using their own equipment, but companies do have a right to control their brand, and that includes how they are represented by their employees on social media sites. For that reason, every organization should develop, implement and enforce a corporate-wide social media policy for all employees (because if you don’t enforce it, then do you really have a policy?).

Gary MacFadden was kind enough to pose a great question in response to my last blog posting titled “Did you hear the one about the Attorney who thought social media was a dating website for singles over 40?”. Gary pointed out that it would be helpful if I could give examples of a corporate social media policy (what it involves) and what the employee education process would be to make employees aware of the policy. With that in mind, here are some aspects of a corporate social media policy:

  1. A policy author with contact information in case employees have questions
  2. An effective date
  3. A definition of what social media is
  4. A description as to why this policy is being developed (for legal defense, brand protection etc)
  5. A description of what social media sites the company officially participates in
  6. A listing of those employees approved to participate on those sites
    1. The fact that any and all approved social media participations will be done only from corporate infrastructure (this is to protect approved employees from discovery of their personal computers)
    2. A description of topics approved to be used
    3. A description of those topics not approved to be used
    4. A description of any approval authority process
    5. A description of what will happen to the employee if they don’t follow the approved process
  7. A direct statement that unapproved employees that make derogatory remarks about the organization, publish identifying information about clients, employees, or organization financials, talk about organization business or strategy etc. in any social media venue will be punished in the following manner…
  8. A description of how these policies will be audited and enforced

Once the policy is developed, it needs to be communicated to all employees and updated by a legal representative on an annual basis. This education process could include steps like:

  1. A regularly updated company intranet site explaining the policy.
  2. A description and discussion of the policy in new employee orientation activities.
  3. A printed description of the policy which the employee signs and returns to the organization.
  4. An annual revisiting of the policy in department meetings.
  5. The publishing of an organization “hot line” to your corporate legal department for real-time questions.

On a related topic, for legal reasons you should be archiving all approved social media participations much like many companies now archive their email and instant message content.

This practice will seem rather draconian to many employees but in reality the organization needs to protect the brand and always have a proactive strategy for potential litigation.

A sampling of various organizations’ social media policies can be found here. I was particularly impressed with Dell’s.

From a previous blog post titled “Beware: your facebook posts could end up in court”

Social networking posters beware…your Facebook and other social media accounts may be seen by more than just your friends; in fact, what you post and tweet could become court evidence.

But many of us don’t consider these implications when tweeting and posting. Current employers, potential employers and, yes, even attorneys review social networking sites for information on workers, job candidates and litigants.

Individuals as well as organizations need to carefully consider what they post to these sites. In the personal injury case of McMillen v. Hummingbird Speedway, Inc., No. 113-2010 CD (C.P. Jefferson, Sept. 9, 2010), Hummingbird Speedway, Inc. sought access to the plaintiff’s social network accounts, requesting an eDiscovery production of his usernames, log-ins and passwords.

The plaintiff objected, arguing that the information on those sites was confidential. Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days. Additionally, the court ordered that the plaintiff should not take steps to delete or alter the existing information on his social network accounts. The court’s reasoning was summarized as follows:

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.” The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.” Accordingly, the court determined that the plaintiff could not successfully assert that his accounts were confidential. In so holding, the court also noted the possibility that communications could be disclosed by friends of the account holder with whom the communications were shared.

Organizations need to establish and enforce employee social media policies to lower their risk and better protect their brand.

Did you hear the one about the Attorney who thought “Social Media” was a dating website for singles over 40?


A definition of the term social media from Merriam-Webster states “forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content.”

Another definition of “social media” from online matters reads “Social media is any form of online publication or presence that allows end users to engage in multi-directional conversations in or around the content on the website.”

Examples of social media include Facebook, MySpace, LinkedIn, Twitter, YouTube, and WordPress (a free blogging site) among many, many others. Social media is not limited to desktop computers either. Cell phones, smart phones, PDAs, iPhones and iPads are popular examples of mobile devices that connect to social media services.

How popular is social media these days?

Facebook: 750 million plus active users (July 2011). Users spend over 700 billion minutes per month on Facebook.

Twitter: 175 million total Twitter accounts, 119 million Twitter accounts following one or more other accounts (March 2011), with 177 million tweets sent in one day on March 11, 2011.

LinkedIn: 100 million users (March 2011)

Based on the above numbers, the social media phenomenon has become a major source of electronic data which in turn means a major target in litigation.

Social media content as a source of evidence in civil litigation has become a popular topic in legal magazines, blogs, Twitter posts and other information sources. There are several challenges around social media content from the employee’s point of view and its use in litigation. Individuals tend to view social media content the same way they thought about emails and voicemails years ago: transitory, something that was private and didn’t exist for long anyway. People are shocked that potential employers are looking at the individual’s public Facebook page, Twitter postings or LinkedIn profile to get a better idea of a job candidate’s background, or that police view the same content to help build a case against someone.

“Seriously officer, I wasn’t at that party where someone got shot…I was visiting my grandmother in Fresno”

“Really?… then how come there’s a picture of you at the party holding a bottle of Jack Daniels in one hand and a Glock 9mm in the other hand?”

Does an employer have a right to an employee’s social media content? Some qualifying questions to determine this would be:

  1. Has the employee mixed personal and business related content in their social media activity?
  2. Was the employee’s social media activity initiated from within the organization’s infrastructure or using their equipment?

In a 2010 US District Court decision, Equal Employment Opportunity Commission v. Simply Storage Management, L.L.C. and O.B. Management Services, the defendant, Simply Storage, sought to discover from two employees claiming sexual harassment by their supervisors all photographs and videos posted to their Facebook and MySpace accounts, plus electronic copies (or alternatively hard copies) of their profiles, including updates, messages, wall comments, causes/groups joined, activity streams, blog entries, blurbs, comments and applications. The EEOC objected to production on the grounds that the request was overbroad, not relevant and unduly burdensome, that it improperly infringed on privacy, and that compliance would harass and embarrass the claimants. Simply Storage defended the request, arguing that the claimants had put their emotional health at issue, implicating all their social communications.

The Court ruled that the EEOC must produce relevant Social Networking Sites (SNS) communications in accordance with its guidelines noting first that SNS content is not shielded from discovery simply because it is locked or private.

In another case, TEKsystems, Inc. v. Hammernick et al., No 0:10-cv-00819, filed in the United States District Court for the District of Minnesota, is the first-known restrictive covenant lawsuit regarding allegedly unlawful conduct via social media (in this case, LinkedIn).

When Hammernick’s employment with TEKsystems ended, she went to work for Horizontal Integration, Inc., also an IT staffing firm. The complaint alleges that, after her employment with TEKsystems ended, Hammernick unlawfully communicated, on behalf of Horizontal Integration, with at least twenty “Contract Employees” via LinkedIn, the premier social networking website used for business and professional purposes.

The allegations against Hammernick list, by name, the sixteen Contract Employees that she allegedly “connected” with on LinkedIn, in violation of her employment agreement with TEKsystems. This case raises the legal question whether merely “connecting” with professional contacts via professional networking websites constitutes a violation of a restrictive covenant prohibiting such “solicitation” or “contact.” Does the mere existence of a network of professional contacts equal solicitation? Will compliance with a non-solicitation restriction require individuals to “disconnect” or “de-friend” colleagues, customers, or clients of former employers until the non-solicitation period expires?

Smartphones are a super highway into your private social media content

Recently, California’s Supreme Court reached a controversial 5-2 decision in People v. Diaz (PDF), holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.

Do you have a Twitter app or LinkedIn app on your smart phone? Does it automatically enter your logon and password when you start the app? If it does, then law enforcement could take a look at your private Facebook, LinkedIn or Twitter accounts.

Also be aware, if you voluntarily disclose or enter your mobile phone password in response to police interrogation, any evidence of illegal activity found on (or by way of) your phone is admissible in court, regardless of whether or not you’ve been Mirandized.

It’s obvious social media is a new speed bump in the eDiscovery landscape. Employers need to create policies to address their concerns and educate their employees about these policies and the consequences of not following them.

The Four Factor Test for Employee Expectation of Privacy


On May 23, in SEC v. Reserve Management Co. Inc., the U.S. District Court for the Southern District of New York ruled that an employee does not have a reasonable expectation of privacy with respect to communications with a spouse through an employer’s email system. In reaching its decision, the court used the four-part test from In re Asia Global Crossing Ltd to determine if the employee had a reasonable expectation of privacy. A key point in this analysis was the presence of, and actual notice to employees of, an email policy that both forbade personal communications and warned employees of possible disclosure of company-controlled email communications. A write up of this outcome from the National Law Review can be viewed here.

Several cases have afforded protection to employees who may reasonably have expected privacy when using company IT systems. In Asia Global Crossing, the court set forth a four-factor test to assess the reasonableness of an employee’s privacy expectation in personal email transmitted through a corporate email system. The Asia Global Crossing test is composed of four basic questions:

  1. Does the company maintain a policy banning personal content or other objectionable use?
  2. Does the company monitor the use of the employee’s computer or email?
  3. Do third parties have a right of access to the computer or emails?
  4. Did the company notify the employee, or was the employee aware, of the use and monitoring policies?

If all four questions can be answered in the affirmative, then the employee should have no expectation of privacy.

This four factor test has been adopted by a number of courts faced with the task of determining the reasonableness of privacy expectations. As the Reserve Management court pointed out, “the cases in this area tend to be highly fact-specific and the outcomes are largely determined by the particular policy language adopted by the employer.”

Further questions that should be considered when putting one of these policies together:

  • Does the company maintain a policy banning personal content or other objectionable use?
    • Is the policy written down?
    • How often is it updated?
    • Was the policy communicated to employees?
    • How was it communicated?
    • Can employees find it if they want to?
    • Was the policy reviewed by legal staff?
  • Does the company monitor the use of the employee’s computer or email?
    • Did the company explain to the employees that the company and other legal entities have a right to access and review employee email?
    • How was this communicated?
  • Do third parties have a right of access to the computer or emails?
    • Was this explained to all employees?
    • How was it communicated to the employees?
  • Did the company notify the employee, or was the employee aware, of the use and monitoring policies?
    • How did the company notify the employees?
    • Does the company audit the policy?
    • Does the company enforce the policy?

Some of the added question detail above highlights intent. Is the company’s intention to not allow personal communications from their employees (usually not) or is the intent to educate the employees as to their lack of privacy if they choose to utilize the corporate email system for personal use?

This review serves to remind organizations of the importance of creating and training employees on well thought out “use policies”. A well thought out and comprehensive use policy that employees are not aware of is in reality, not a policy. Lastly, when creating and adopting these use policies, it is always a good practice to get acknowledgements from all employees as to their understanding of the use policy.

Encrypted and hidden files put eDiscovery at risk


There are some pretty nice freeware applications available which allow a user to encrypt and hide files/data/electronic records in plain sight on their computers. Can this pose a problem for IT and corporate legal?  Let me put it this way…how would you find and place ESI that’s encrypted or is both encrypted and made to look like something else on a litigation hold?

Does the presence of encryption applications in a corporate infrastructure make claims of spoliation more likely if files can’t be found or decrypted? Is this a problem you should even worry about?

It’s a stretch but in some circumstances this capability could significantly raise your eDiscovery risk. To illustrate this problem further I will specifically talk about an application called TrueCrypt which is a free open-source disk encryption software application for Windows 7/Vista/XP, Mac OS X, and Linux.

TrueCrypt is an application for creating and maintaining an on-the-fly-encrypted volume (a data storage device, as opposed to a single file). This means that you can create an encrypted volume capable of storing many encrypted files which, to casual observers, looks like a single file. On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without the correct password or encryption keys. Several ciphers are available in the application (AES, Serpent and Twofish, alone or cascaded), all with 256-bit keys; AES is the default and is the algorithm the U.S. federal government has approved for protecting classified information.

Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any normal storage device (for example, by simple drag-and-drop operations). Files are automatically decrypted on-the-fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume.  Similarly, files that are being written or copied to the TrueCrypt volume are automatically being encrypted on-the-fly (right before they are written to the disk) in RAM.

Now, to make matters worse (or better depending) TrueCrypt also can create a hidden encrypted volume within the visible encrypted volume.

The layout of a standard TrueCrypt volume before and after a hidden volume was created within it. (Graphic from the TrueCrypt manual)

The principle is that a TrueCrypt volume is created within another TrueCrypt volume. Even when the outer volume is mounted and visible, it is impossible to prove whether a hidden volume exists within it, because free space on any TrueCrypt volume is filled with random data when the volume is created and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.

So to put it another way, an employee trying to hide data from a discovery search could first create an encrypted volume on their hard disk or some removable device such as a USB stick and store encrypted data on it. Even more diabolical, they could move some innocuous data to it as a decoy and store the real data on the hidden volume inside the original volume. This capability gives the employee plausible deniability if corporate legal or IT forces the employee to decrypt the volume they can see.

So the big question is this; how would you as a discovery auditor even know of or find these hidden and encrypted data volumes? In reality it’s not easy. You have to go into it looking for hidden and encrypted data. There are some forensics applications that will at least find and flag encrypted files and volumes including the TrueCrypt format. I am unable to determine if these forensics applications can find and flag hidden volumes.

As a test, I set up a 10 GB TrueCrypt encrypted volume on this computer and named it “Attorney Communication” in a folder I named “contracts”. To the casual observer all they see is a large file in a folder called “contracts” (see below).

Within that encrypted “Attorney Communication” file I copied four decoy files to make it look like those were the important files I was keeping encrypted just in case I am forced to open the encrypted volume by legal (see below).

As you can see above, you can’t tell by looking at it that it contains the hidden 8 GB volume I had also created. That hidden volume is accessible only by typing a totally different password.

The hidden 8 GB TrueCrypt volume on this computer

So how do you find these hidden volumes and files if the employee is not cooperating? If you suspect the employee has been using this technology, the first obvious step is to search the employee’s hard disk for the TrueCrypt application itself. Finding it is a dead giveaway that the employee could have encrypted and hidden data volumes on their computer. This is not certain, because TrueCrypt can also be run in its portable (“traveler”) mode from a USB stick without being installed into Windows, so when the stick is not plugged in the application itself is absent from the computer (although host artifacts such as prefetch entries, driver-load records and TrueCrypt’s own history of recently mounted volumes, unless the user disabled it, may still show that it was run).

A second way to find potentially encrypted volumes is to search for very large files. Encrypted volumes are usually larger than normal files because they are just that: a large space to store many files. So you could do a Windows search for files over 10 MB and see what you get. An indication would be a large file with no application associated with it; when you double-click it, Windows does not recognize the file type and displays the “Open with” dialog box shown below. The underlying reason is stronger than a missing file association: a dismounted TrueCrypt container has no plaintext header at all, so unlike a zip archive, video or PDF it has no file-type signature for Windows or a forensic tool to match, and its contents look like random data from the first byte. Renaming the container with a plausible extension defeats the file-association check, but not a signature check on the content.

That leaves the problem of discovering the hidden volume. One idea would be to fill the outer volume, if the employee has opened it, and see whether the available space equals the volume size: for example, Windows reports my encrypted volume as 10 GB and the employee has stored only 5 MB in it, so copy another 9.95 GB into it and watch for a “volume full” message before all of the data is copied. This test does not work as hoped, and it is dangerous. As noted above, TrueCrypt does not touch the outer volume’s file system, so the outer volume still reports the full 10 GB as available; the hidden volume simply occupies what the outer file system believes is free space. Filling the outer volume therefore produces no early “volume full” message, and the data written into that region overwrites and destroys the hidden volume (TrueCrypt’s “protect hidden volume” option exists precisely because mounting the outer volume with only the outer password exposes the hidden volume to this damage). An examiner who runs this test against a suspect’s container has spoliated the very evidence being sought; work only from a forensic image, never from the original.

A faster way to get an indication of hidden volumes is to use a large file finder tool. I found one called “Largefiles3” which had a surprising capability. In this case I ran the application looking for files larger than 10 MB on the C drive.

The interesting capability here is that it found the encrypted volume I named “Attorney Communication” but it determined its size to be 2.147 GB not the 10 GB shown in the Windows file system data. This is because I had created an 8 GB hidden volume inside the “Attorney Communication” volume thereby only leaving 2 GB for the original volume. This is a huge red flag if you are looking for it. Now, without the password you still can’t access the original encrypted volume or the hidden volume but at least you would know it exists and can apply pressure to the employee.
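As an added example (not from the original post, and not TrueCrypt’s or any forensic vendor’s code), the script below automates the two indicators discussed above: a file whose name references TrueCrypt, and a large file with no recognizable file-type signature. It adds a byte-entropy measurement, which the post does not use, because a dismounted TrueCrypt container is by design indistinguishable from random data and carries no plaintext header, whereas most legitimate large files (archives, images, PDFs, executables) start with a signature. High entropy alone proves nothing, since compressed and already-encrypted formats are also near-random, which is why the signature check is kept. The signature table, the 7.9 bits/byte threshold and the assumption that containers are 512-byte aligned are this example’s own choices, and the files it builds are constructed test data, not real volumes. One caveat on the 2.147 GB reading above: 2.147 GB is 2^31 bytes, and 10 GiB taken modulo 2^32 is exactly 2^31, so that figure is also what a tool that truncates a 64-bit file size to 32 bits would show for a 10 GB file; since, as the post itself explains, a dismounted container reveals nothing about a hidden volume inside it, the reading is better treated as a size-reporting artifact than as evidence of the hidden volume. The script reads sizes with os.stat, which is not subject to that truncation.

```python
"""Flag files that look like dismounted TrueCrypt containers.

Added example: the heuristics, signature table, thresholds and the
512-byte alignment check are this example's own assumptions, not
TrueCrypt's or any forensic vendor's logic.
"""
import math
import os
import tempfile
from collections import Counter

# Small signature table for illustration; a real scan would use libmagic.
# Archives and images are near-random too, but they start with a header,
# which a TrueCrypt container never does (its header is encrypted).
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/docx/jar",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!": "rar",
    b"MZ": "windows executable",
    b"\xd0\xcf\x11\xe0": "ole2 (doc/xls)",
}
SAMPLE_BYTES = 64 * 1024             # leading bytes used for the entropy test
DEFAULT_MIN_SIZE = 10 * 1024 * 1024  # the post suggests looking above 10 MB

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random data scores close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def identify_magic(head: bytes):
    """Return the name of a known signature at the start of head, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return name
    return None

def assess_file(path: str, min_size: int = DEFAULT_MIN_SIZE,
                entropy_threshold: float = 7.9) -> dict:
    """Verdict for one file. os.stat returns the full 64-bit size, so a
    10 GiB container is reported as 10 GiB, not truncated to 2.147 GB."""
    size = os.stat(path).st_size
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    magic = identify_magic(head[:8])
    ent = shannon_entropy(head)
    reasons = []
    if "truecrypt" in os.path.basename(path).lower():
        reasons.append("file name references TrueCrypt")
    # Assumption: TrueCrypt volumes are sector-aligned (size % 512 == 0).
    if (size >= min_size and magic is None
            and ent >= entropy_threshold and size % 512 == 0):
        reasons.append("large, headerless, near-random, sector-aligned")
    return {"path": path, "size": size, "magic": magic,
            "entropy": round(ent, 3), "suspect": bool(reasons),
            "reasons": reasons}

def scan_tree(root: str, **kwargs) -> list:
    """Walk root and return the verdicts of suspect files only."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                verdict = assess_file(os.path.join(dirpath, name), **kwargs)
            except OSError:
                continue  # locked or unreadable; a real tool would log this
            if verdict["suspect"]:
                hits.append(verdict)
    return hits

def build_sample_tree(root: str) -> None:
    """Constructed test data, not real TrueCrypt volumes: a 1 MiB random
    'container' with an innocuous name, a text file, and a zip-like file
    (high entropy, but it carries a PK header)."""
    folder = os.path.join(root, "contracts")
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, "Attorney Communication"), "wb") as fh:
        fh.write(os.urandom(1024 * 1024))
    with open(os.path.join(folder, "notes.txt"), "w") as fh:
        fh.write("meeting notes\n" * 50000)
    with open(os.path.join(folder, "archive.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04" + os.urandom(1024 * 1024))

def demo_scan(min_size: int = 1024 * 1024) -> dict:
    """Build the sample tree in a temp dir, scan it, and return the hits
    plus every file's verdict so the result can be inspected."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    folder = os.path.join(root, "contracts")
    verdicts = {name: assess_file(os.path.join(folder, name), min_size=min_size)
                for name in os.listdir(folder)}
    return {"root": root, "verdicts": verdicts,
            "hits": scan_tree(root, min_size=min_size)}

if __name__ == "__main__":
    for hit in demo_scan()["hits"]:
        print(hit)
```

Run it with no arguments and only the random-filled “Attorney Communication” file is reported; the zip-like file scores just as high on entropy but is excluded by its header, and the text file fails both the size and entropy tests. Against a real system, point scan_tree at a mounted forensic image rather than the live disk, and treat a hit as a reason to ask questions, not as proof: the scan cannot see a hidden volume inside a container any more than the post’s tools can.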

So how do you prevent these encryption applications from putting your eDiscovery processes at risk? The most obvious one is to include in your employee computer use policy a statement prohibiting the use of these types of applications with stated punishments if not followed. This will stop general employees from using this kind of application but will not deter those employees bent on breaking your rules. The obvious next step is to sample and audit your employees to see if these applications are being used. For corporate legal, the main thing you want to establish is your “good faith intent” to make sure your eDiscovery processes are defensible.

Companies Need a Social Media Policy


Reuters had an interesting article on social media policies on June 28 at:

http://uk.reuters.com/article/idUKLNE65R01920100628

The article pointed out that trying to stop employees from participating in the social media revolution is near impossible and is not the right strategy in any case. The article advocated giving employees some ground rules (via written policy) about what can be written and asking them to always conduct themselves professionally.

In a perfect world…I would agree, but this assumes employees will follow your “general” policies.

The corporate brand is one of the most valuable assets the company owns, with years of investment of money, time and goodwill. To simply give that over to any employee could be disastrous. Let’s look at the problem from the lawyer’s point of view. Your attorney needs to protect the company from possible litigation and costly eDiscovery requirements wherever possible. Corporate social media needs to be managed just like any other marketing program.

All the social media venues I am aware of in one way or another record and display thoughts, pictures, links etc. for some period of time, sometimes forever. The fact to keep in mind is that if you put it in writing, it’s permanent and out of your direct control from then on. Now, the first question you need to address is “Is social media content discoverable (in the legal sense)?” Depending on the case and the relevancy of the content, the answer is of course! So do you want any employee “speaking” for the company? If your policy allows any employee to use corporate social media accounts, or allows those employees to refer to the company in any way, then they could be seen as representing the company. Most successful companies I have worked for in the past have very specific rules around, for example, speaking to the media without prior approval or training. Why would an organization diverge from that strategy?

I know you can’t control what employees do away from work but companies do have a right to control their brand and that includes how they are represented on social media sites. For that reason, every organization should develop, implement and enforce a corporate-wide social media policy for all employees (because if you don’t enforce it, then do you really have a policy?).

Aspects of a corporate social media policy should include:

  1. A policy author with contact information in case employees have questions
  2. An effective date
  3. A definition of what social media is
  4. A description as to why this policy is being developed (for legal defense, brand protection etc)
  5. A description of  what social media sites the company officially participates in
  6. A listing of those employees approved to participate on those sites
    1. The fact that any and all approved social media participations will be done only from corporate infrastructure (this is to protect approved employees from discovery of their personal computers)
    2. A description of topics approved to be used
    3. A description of those topics not approved to be used
    4. A description of any approval authority process
    5. A description of what will happen to the employee if they don’t follow the approved process
  7. A direct statement that unapproved employees that mention the company, company business, other employees, company customers etc. in any social media venue will be punished in the following manner…
  8. A description of how these policies will be audited and enforced

Once the policy is developed, it needs to be communicated to all employees on a regular basis and updated by a legal representative on an annual basis.

A side point is, for legal reasons, you should be archiving all approved social media participations much like many companies now archive their email and instant message content.

This type of policy will seem rather draconian to most employees but in reality the organization needs to protect the brand and always have a proactive strategy to potential litigation.

Employer’s Email Use Policy an Important Factor in Privilege


In a recent article in Law Technology News written by Anthony E. Davis titled “More Privilege Issues With Employee Email”, an interesting issue was posed: Should an employee expect that emails between themselves and their attorney be privileged when using the company’s email system?

Mr. Davis pointed to a case, Leor Exploration & Production LLC, et al., v. Aguiar, 2009 WL 3097207 (S.D. Fla.)(doc), where the court considered this question. The court cited another case, In Re Asia Global Crossing, Ltd., 322 B.R. 247, 257 (SDNY 2005), where four factors were listed:

  1. “does the corporation maintain a policy banning personal or other objectionable use,
  2. does the company monitor the use of the employee’s computer or email,
  3. do third parties have a right of access to the computer or e-mails, and
  4. did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?”

If the answer to each of these questions is yes, then the employee should have had no reasonable expectation of privacy. This highlights the need for a corporate email use policy with documented processes. If, through widely disseminated policies, the company notified the employee of potential monitoring of email and stated that the corporate email system should not be used for personal purposes, then a claim of attorney-client privilege over those emails is hard to sustain.

Companies in the U.S. need to prepare themselves for the eDiscovery process by proactively collecting ESI, including employee email, so that they can quickly and effectively place legal holds and query that ESI archive for an eDiscovery response.

What should companies do to better protect themselves? Obviously they should develop email use policies that plainly state the above practices and train their employees on the email use policy.

Employees Using Personal Email Accounts to Send Large Files


In a recent survey conducted by Osterman Research, it was revealed that 82 percent of employees use their personal email accounts to send large work-related files when an email attachment exceeds the size limit imposed by IT.

Is this a problem?…YES

Let’s say your company is involved in civil litigation and has received interrogatories (written questions as part of the discovery process) from opposing counsel. One of the questions could be: “Have any of your employees or contractors ever sent business related emails or attachments to another party using their personal email account?” According to the Osterman data, 82% of your employees would answer yes to that question.

Why is this a problem?

First, your eDiscovery process, including legal hold requirements, will have to include searching your employees’ personal email accounts, if they give you permission. In my opinion, that doesn’t relieve you of the responsibility of protecting those responsive emails.

Second, eventually your employees are going to face the possibility of attorneys reading their personal emails and attachments from within their personal email accounts. There are few employees that will think this possibility is a good thing.

So how do you remove or at least lower this possibility?

First, create written email use policies that forbid employees from ever accessing their personal email accounts at work from employer-provided equipment.

Second, include in the above mentioned policy that company related records are never to be sent to or received from personal email accounts.

Third, explain to employees that if they violate the policy, they could be fired.

Fourth, explain that if they were to violate the policy, attorneys, including opposing counsel, may be reading their personal emails in discovery some day.

Fifth, create a way within your infrastructure to send and receive large files so employees don’t have to fall back to using their personal email accounts to send or receive large business related files.

The True Cost of Under Preserving ESI


The arguments for under-preserving ESI are well known and varied. The most prevalent argument I hear for under-preserving is “the more data, email, files etc. we keep, the higher the risk that it will be used against me in litigation”.

This is an argument that assumes that all ESI is somehow harmful and should exist for the shortest time possible. This is one of the main reasons companies adopt a 30, 60 or 90 day retention policy for their employees’ email accounts.

There are two main problems with this type of thinking. First, for those companies that enforce a 30/60 or 90 day retention policy for their email accounts, in reality they are not lowering their risk of “bad” ESI being used against them. They are simply making it more expensive for them to find that ESI when directed by a discovery request.

Employees do not delete all emails, even when they are running up against a “Clean out your mailbox or it will stop working” message from IT. They simply move the email they want to retain out of their mailbox into a personal archive or PST. The ESI still exists.

The second problem with this 30, 60 or 90 day retention policy is that it ignores the fact that ESI can help you in litigation. Having access to all relevant data for a given action will help you determine what your strategy should be in reacting to the litigation. This is called Early Case Assessment (ECA). Reviewing all relevant data for a litigation can tell you whether you should settle the case because you can’t prevail, or fight the litigation because you can prove your position.

Creating retention policies for your ESI based on business requirements, rather than creating retention policies to flush “bad” ESI, will ensure ESI is available for business use as well as for review during early case assessment.